...
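/**
 * Holds a filename that is meant to be handed out at most once via {@link #get()}; a second call
 * throws {@link Error}. {@link #replace()} only takes effect while the value has not been handed out.
 *
 * <p>Why this is the weak (noncompliant) shape: the class is neither {@code final} nor does it
 * override {@code clone()}, so a subclass may declare itself {@code Cloneable} and copy an instance.
 * {@code Object.clone()} is a shallow copy: the copy aliases the same {@code filename} array but
 * carries its own {@code shared} flag, so the one-time guard and the "replace only before sharing"
 * rule can both be bypassed (see {@link MaliciousSubclass#main}). Closing the hole means declaring
 * the class {@code final} or overriding {@code clone()} to throw {@code CloneNotSupportedException}.
 *
 * <p>Not thread-safe: {@code shared} and {@code filename} are read and written without any
 * synchronization.
 */
class SensitiveClass {
  /** The protected value. A mutable array, so a shallow copy of the holder aliases it. */
  private final char[] filename;

  /** Set once {@link #get()} has handed the value out. Primitive: the boxed Boolean bought nothing. */
  private boolean shared = false;

  /**
   * Creates a holder for {@code filename}.
   *
   * @param filename the value to protect; copied into a fresh char array
   */
  protected SensitiveClass(String filename) {
    this.filename = filename.toCharArray();
  }

  /** Overwrites every character with {@code 'x'}, but only while the value has not been handed out yet. */
  protected void replace() {
    if (!shared) {
      for (int i = 0; i < filename.length; i++) {
        filename[i] = 'x';
      }
    }
  }

  /**
   * Hands the value out exactly once.
   *
   * @return the current contents of the array as a String
   * @throws Error if the value has already been handed out by an earlier call
   */
  protected String get() {
    if (shared) {
      throw new Error("Error getting instance");
    }
    shared = true;
    return String.valueOf(filename);
  }

  /** Prints the current contents of the array (whatever they are now) to standard output. */
  protected void printFilename() {
    System.out.println(String.valueOf(filename));
  }
}

/**
 * Subclass that defeats the one-time guard of {@link SensitiveClass} by making itself
 * {@link Cloneable}. {@code Object.clone()} performs a shallow copy, so the clone shares the
 * parent's {@code filename} array while carrying its own {@code shared} flag.
 *
 * <p>Fixes relative to the garbled listing: the return type {@code SensitiveClassMaliciousSubclass}
 * did not exist, and {@code Clone()} (capital C) did not override {@code Object.clone()}; the
 * method is now a proper covariant {@code clone()} override, so no cast is needed at the call site.
 */
class MaliciousSubclass extends SensitiveClass implements Cloneable {
  /**
   * Creates the subclass holder.
   *
   * @param filename the value to protect, passed through to {@link SensitiveClass}
   */
  protected MaliciousSubclass(String filename) {
    super(filename);
  }

  /**
   * Well-behaved {@code clone()}: delegates to {@code Object.clone()}, i.e. a shallow copy.
   *
   * @return the copy, or {@code null} if cloning is refused (not expected for a {@code Cloneable}
   *     class, but the checked exception has to be handled)
   */
  @Override
  public MaliciousSubclass clone() {
    try {
      return (MaliciousSubclass) super.clone();
    } catch (CloneNotSupportedException e) {
      System.out.println("not cloneable");
      return null;
    }
  }

  /**
   * Demonstrates the bypass: after {@code ms1.get()} has handed the value out, the clone's own
   * {@code shared} flag is still {@code false}, so {@code ms2.replace()} overwrites the array that
   * both instances alias.
   *
   * @param args ignored
   */
  public static void main(String[] args) {
    MaliciousSubclass ms1 = new MaliciousSubclass("file.txt");
    MaliciousSubclass ms2 = ms1.clone(); // shallow copy: same filename array, separate shared flag
    String s = ms1.get(); // hands the filename out once: "file.txt"
    System.out.println(s);
    ms2.replace(); // ms2.shared is still false, so this overwrites the array ms1 also sees
    // Both instances now observe 'xxxxxxxx'; ms2.get() would return it, ms1.get() would throw.
    ms1.printFilename();
    ms2.printFilename();
  }
}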
...